Vulnerability User Guide

Overview

This DEX Pack provides actionable data to determine the impacts, spread, and relative vulnerability to cyber threats throughout your enterprise.

Log4j

Secure infrastructure with simple, actionable data against Log4j vulnerable files.

Dell InsydeH2O UEFI

Identify Dell systems with vulnerable InsydeH2O UEFI firmware.

WinVerifyTrust Signature

Determine which systems are vulnerable to the WinVerifyTrust Signature Validation threat.

Log4j

Vulnerability Summary

This graph displays the systems that are secure and those that are still vulnerable to Log4j. The systems that have received an updated patch are in green. Those that have not been updated and are still vulnerable appear in red.

Note: Any system running a Log4j version lower than 2.17 is considered vulnerable and will trigger the sensor. See Trigger Information for more details.

Vulnerable Systems

This grid provides details of the system and the files that are vulnerable to Log4j.

Any system that has a Log4j version of 2.17 or lower is considered vulnerable.

Select a system or file from the grid to display more details in the Unpatched Files (Selected) grid. You may also use the search bar to find a specific system.

Unpatched Files (Selected)

This grid displays details of vulnerable files: the Full Path (the path through which the Log4j vulnerability was accessed), the Run Time (when it occurred), and the number of affected Systems. It also includes a Run Time Count showing how many times the vulnerable file has run on the system.

Select either a system or a file from the Vulnerable Systems grid or use the search bar for more details.

Software

This grid shows the System Count of the selected software, its Status (online or offline), and the Last Use of the selected software.

Use the Software Search bar to populate data in this grid. It does not auto-fill from any other grid or graph.

Double-click to drill down to SysTrack Resolve. For a system to appear in Resolve, it must be online. The Status column shows Online in green and Offline in red.

All Systems – Unpatched Files

This grid alerts you to all the files across your enterprise that are unpatched against a Log4j vulnerability. Use the Search bar to locate a particular Path/File.

Dell InsydeH2O UEFI

Global Filters

Use the Global Filters to find specifics on a group or a model of Dell computers within your enterprise.

Impact Summary

This graph displays the Dell Systems that are patched and secure, and those that are not patched and therefore vulnerable.

Systems

This grid displays the System, Model, installed UEFI (Unified Extensible Firmware Interface) version, and required UEFI version for the Dell systems in your enterprise.

Use the drop-down arrow to choose Show unpatched systems, Show patched systems, or Show all systems.

If the UEFI version is out of date and therefore vulnerable, it will appear in red.

If the UEFI version is up to date and therefore secure, it will appear in green.

Use the System Search bar to find details on a specific system.

WinVerifyTrust Signature

According to Microsoft's website, the WinVerifyTrust Signature Validation vulnerability is a remote code execution vulnerability. It occurs when the WinVerifyTrust function improperly validates the file digest of a specially crafted PE (Portable Executable) file while verifying a Windows Authenticode signature. [1]

The vulnerability data is derived from sensors. See below for how the vulnerability sensors are triggered.

Trigger Information

For the sensor to become true, both of the following conditions must be met:

  1. The 'Atera Agent' software is installed, and a system reboot is performed within 1 minute of installation.

  2. Windows Defender exclusions. The system must have:

  • Default action changed to ignore all threat severity levels (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ThreatSeverityDefaultAction)

  • Scheduled full scan set to never run (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\ScheduleScanDay)

  • Allow IOAV Protection turned off (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowIOAVProtection)

  • Allow archive scanning turned off (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowArchiveScanning)

  • PUA Protection turned off (from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\PUAProtection)

For condition 2: if the first indicator (default action changed to ignore all threat severity levels) is detected, the whole condition is true on its own. Otherwise, any three of the remaining four indicators must be present.

The overall sensor is true only when both condition 1 and condition 2 are present.
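The decision logic above (condition 1 AND condition 2, where condition 2 is satisfied either by the ignore-all default action alone or by any three of the other four Defender weakenings) is easy to get wrong when reimplemented as a custom check, so here it is modelled in Python as an added example. This is not SysTrack's sensor code; it evaluates a constructed host snapshot rather than reading the live registry, and the value encodings it assumes (action 6 = ignore in ThreatSeverityDefaultAction, ScheduleScanDay 8 = never, 0 = off for the three Allow/PUA values) follow the Defender CSP conventions but should be verified against your own environment.

```python
"""Model of the WinVerifyTrust sensor trigger logic described in the guide.

Added example, not SysTrack code. A real collector would read the installed
software inventory and the registry values under POLICY_KEY; here the host
state is a constructed snapshot so the logic can be exercised offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Registry key named in the guide for the Defender policy values.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager"

# Assumed value encodings (Defender CSP conventions; verify for your build):
#   ThreatSeverityDefaultAction: "severity=action|..." pairs, action 6 = allow/ignore
#   ScheduleScanDay: 8 = never run a scheduled scan
#   AllowIOAVProtection / AllowArchiveScanning / PUAProtection: 0 = turned off
IGNORE_ACTION = "6"
SCAN_NEVER = 8
SEVERITY_LEVELS = {"1", "2", "4", "5"}  # low, moderate, high, severe (assumed)


@dataclass
class HostSnapshot:
    """Constructed view of one endpoint, as a sensor collector might gather it."""
    installed_software: Set[str]
    reboot_seconds_after_install: Optional[int]  # None = no reboot observed
    defender_policy: Dict[str, object] = field(default_factory=dict)


def ignores_all_severities(value: Optional[str]) -> bool:
    """True when every severity level maps to the ignore action (assumed encoding)."""
    if not value:
        return False
    actions = {}
    for pair in value.split("|"):
        if "=" in pair:
            sev, act = pair.split("=", 1)
            actions[sev.strip()] = act.strip()
    return all(actions.get(sev) == IGNORE_ACTION for sev in SEVERITY_LEVELS)


def atera_condition(host: HostSnapshot) -> bool:
    """Condition 1: Atera Agent installed and a reboot within one minute of it."""
    return ("Atera Agent" in host.installed_software
            and host.reboot_seconds_after_install is not None
            and host.reboot_seconds_after_install <= 60)


def defender_condition(host: HostSnapshot) -> bool:
    """Condition 2: ignore-all default action alone, or any three other weakenings."""
    p = host.defender_policy
    if ignores_all_severities(p.get("ThreatSeverityDefaultAction")):
        return True
    others = [
        p.get("ScheduleScanDay") == SCAN_NEVER,
        p.get("AllowIOAVProtection") == 0,
        p.get("AllowArchiveScanning") == 0,
        p.get("PUAProtection") == 0,
    ]
    return sum(others) >= 3


def sensor_triggered(host: HostSnapshot) -> bool:
    """The overall sensor is true only when both conditions hold."""
    return atera_condition(host) and defender_condition(host)


def sample_hosts() -> Dict[str, HostSnapshot]:
    """Constructed hosts covering the main branches of the logic."""
    return {
        # Agent + prompt reboot + ignore-all default action: triggers via the short path
        "host-a": HostSnapshot({"Atera Agent", "7-Zip"}, 40,
                               {"ThreatSeverityDefaultAction": "1=6|2=6|4=6|5=6"}),
        # Agent + prompt reboot + three of the four other weakenings: triggers
        "host-b": HostSnapshot({"Atera Agent"}, 12,
                               {"ScheduleScanDay": 8, "AllowIOAVProtection": 0,
                                "PUAProtection": 0}),
        # Agent + prompt reboot but only two weakenings: does not trigger
        "host-c": HostSnapshot({"Atera Agent"}, 12,
                               {"ScheduleScanDay": 8, "AllowIOAVProtection": 0}),
        # All four weakenings present but the reboot came too late: does not trigger
        "host-d": HostSnapshot({"Atera Agent"}, 600,
                               {"ScheduleScanDay": 8, "AllowIOAVProtection": 0,
                                "AllowArchiveScanning": 0, "PUAProtection": 0}),
    }


if __name__ == "__main__":
    for name, host in sample_hosts().items():
        print(f"{name}: sensor {'TRIGGERED' if sensor_triggered(host) else 'clear'}")
```

Keeping the two conditions as separate functions mirrors the guide's wording and makes the Systems grid easier to triage: a host where defender_condition is true but atera_condition is false (host-d above) is still worth a look even though the sensor itself stays clear.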

Global Filters

Use the search bar to find a particular system, or filter the data by System Type: All Systems, Only Vulnerable Systems, or Only Secured Systems.

Impact Summary

This graph shows the number of Vulnerable Systems versus Secured Systems for the WinVerifyTrust Signature vulnerability.

Systems

This grid displays the data derived from the sensor for the WinVerifyTrust Signature vulnerability. When a sensor is triggered, the grid lists the affected System, the Latest Trigger Date, and whether the Sensor is Currently Active.

  • If the sensor is currently active, and the system is therefore a threat, it appears in red with Yes. The system needs immediate action.

  • If the sensor is not currently active, and the system therefore does not require intervention, it appears in green with No.

Reference

[1] BetaFred, Dressman, M., & V-Vijnu. (2019, December 19). Microsoft Security Bulletin MS13-098 - Critical. Microsoft Docs. Retrieved April 14, 2022, from https://docs.microsoft.com/en-us/securityupdates/securitybulletins/2013/ms13-098